Summary:

SELinux is preventing /usr/lib64/chromium-browser/chrome-sandbox "sys_ptrace" access.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this access is required by chrome-sandbox and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        chrome-sandbox
Source Path                   /usr/lib64/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           chromium-4.0.252.0-0.1.20091119svn32498.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   5
First Seen                    Mon 23 Nov 2009 10:15:29 AM EST
Last Seen                     Mon 23 Nov 2009 10:24:07 AM EST
Local ID                      9acc30fd-6c76-45ac-bc16-fdd596ee66df
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258989847.61:350): avc: denied { sys_ptrace } for pid=15137 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1258989847.61:350): arch=c000003e syscall=89 success=yes exit=14 a0=7fffdf085610 a1=7fffdf085510 a2=ff a3=ffffffff items=0 ppid=15114 pid=15137 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib64/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-46.fc12,catchall,chrome-sandbox,chrome_sandbox_t,chrome_sandbox_t,capability,sys_ptrace

audit2allow suggests:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability sys_ptrace;
Sorry if these are dupes of bug 540529; didn't want to miss anything.
Same happens on i386. (This was a "yum upgrade" from f11 if that makes any difference.)

---------------------------------------------------------

Summary:

SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "sys_ptrace" access.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this access is required by chrome-sandbox and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0
Target Objects                None [ capability ]
Source                        chrome-sandbox
Source Path                   /usr/lib/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          [redacted]
Source RPM Packages           chromium-4.0.252.0-0.1.20091119svn32498.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     [redacted]
Platform                      Linux [redacted] 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   1
First Seen                    Sat 28 Nov 2009 08:19:34 PM MST
Last Seen                     Sat 28 Nov 2009 08:20:18 PM MST
Local ID                      f3b2b71f-ef9c-456b-90c5-f374cd43976d
Line Numbers

Raw Audit Messages

node=[redacted] type=AVC msg=audit(1259464818.590:309): avc: denied { sys_ptrace } for pid=2819 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0 tclass=capability

node=[redacted] type=SYSCALL msg=audit(1259464818.590:309): arch=40000003 syscall=85 success=yes exit=15 a0=bfcd097c a1=bfcd087c a2=ff a3=8049b52 items=0 ppid=2769 pid=2819 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0 key=(null)
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-52.fc12.noarch
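Added example, not part of the original comments or of any Fedora tooling: the workaround above pipes every AVC record in the audit log into audit2allow, so the resulting module also allows any unrelated denials that happen to be logged. The sketch below narrows the input to one source domain and lists the rules the records imply, so they can be reviewed before loading. The function names and the httpd log line are constructed for illustration; the chrome-sandbox line is the one from this report.

```sh
#!/bin/sh
# Added example: scope audit2allow input to one domain and review what it implies.

# Constructed sample: the chrome-sandbox denial from this report plus one
# made-up httpd denial that a blanket "grep avc" would also sweep in.
sample_log() {
cat <<'EOF'
node=(removed) type=AVC msg=audit(1258989847.61:350): avc: denied { sys_ptrace } for pid=15137 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tclass=capability
node=(removed) type=AVC msg=audit(1258989900.10:351): avc: denied { read } for pid=2001 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Pass through only AVC denials whose source type (3rd scontext field) is $1.
avc_for_domain() {
    awk -v dom="$1" '
        /type=AVC/ && /avc: +denied/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^scontext=/) {
                    split(substr($i, 10), c, ":")
                    if (c[3] == dom) print
                }
        }'
}

# Reduce AVC records to the unique "source target:class perms" rules they imply.
implied_rules() {
    awk '/avc: +denied/ {
        perm = $0
        sub(/.*denied +\{ */, "", perm)
        sub(/ *\}.*/, "", perm)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) split(substr($i, 10), s, ":")
            if ($i ~ /^tcontext=/) split(substr($i, 10), t, ":")
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        print s[3], t[3] ":" cls, perm
    }' | sort -u
}

# Review step: the unfiltered sample implies two rules, the scoped one only one.
sample_log | implied_rules
sample_log | avc_for_domain chrome_sandbox_t | implied_rules

# On a real host (not run here), feed the scoped records to the commands above:
#   avc_for_domain chrome_sandbox_t < /var/log/audit/audit.log | audit2allow -M mypol
#   cat mypol.te        # read the generated rules before: semodule -i mypol.pp
```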
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
Does not seem to be fixed. I updated to 3.6.32-52.fc12, rebooted (and had fixfiles run), but I'm still getting the warning. My chromium is also up to date:

chromium-4.0.252.0-0.1.20091119svn32498.fc12.i686
v8-2.0.0-1.20091118svn3334.fc12.i686

Here's the SELinux error:

Summary:

SELinux is preventing /usr/lib/chromium-browser/chrome-sandbox "sys_ptrace" access.

Detailed Description:

[chrome-sandbox has a permissive type (chrome_sandbox_t). This access was not denied.]

SELinux denied access requested by chrome-sandbox. It is not expected that this access is required by chrome-sandbox and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0
Target Context                unconfined_u:unconfined_r:chrome_sandbox_t:s0
Target Objects                None [ capability ]
Source                        chrome-sandbox
Source Path                   /usr/lib/chromium-browser/chrome-sandbox
Port                          <Unknown>
Host                          [redacted]
Source RPM Packages           chromium-4.0.252.0-0.1.20091119svn32498.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-52.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     [redacted]
Platform                      Linux [redacted] 2.6.31.6-145.fc12.i686 #1 SMP Sat Nov 21 16:28:23 EST 2009 i686 i686
Alert Count                   2
First Seen                    Thu 03 Dec 2009 06:27:57 AM MST
Last Seen                     Thu 03 Dec 2009 07:27:25 AM MST
Local ID                      b4235d09-0ba1-45ee-92a2-39c4a05f1fed
Line Numbers

Raw Audit Messages

node=[redacted] type=AVC msg=audit(1259850445.577:36): avc: denied { sys_ptrace } for pid=2038 comm="chrome-sandbox" capability=19 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0 tcontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0 tclass=capability

node=[redacted] type=SYSCALL msg=audit(1259850445.577:36): arch=40000003 syscall=85 success=yes exit=9 a0=bfb41f1c a1=bfb41e1c a2=ff a3=8049b52 items=0 ppid=2033 pid=2038 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="chrome-sandbox" exe="/usr/lib/chromium-browser/chrome-sandbox" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0 key=(null)
Make sure that you also updated the selinux-policy-targeted package.

rpm -q selinux-policy-targeted
I have fixed the package in 54 to start requiring both packages.

su -c 'yum --enablerepo=updates-testing update selinux-policy-targeted'
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
Pardon the n00b question... I tried to update to -55, but "yum" said that no new updates are available. Is there a way to get the new RPM(s) and install them? Or do I just wait until bodhi moves them to the updates-testing repo? @Miroslav -- thanks for the tip; it sounds like @Daniel fixed it programmatically, but I'll keep it in mind that I need to upgrade them in lock-step. Do I need to run "fixfiles" each time, though?
You can wait for it to get pushed or pull the rpms from http://koji.fedoraproject.org/koji/buildinfo?buildID=144358

You should not need to run fixfiles more than once.
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
I'm obviously still being dense, but I'm still only seeing -52 on the updates-testing page:

$ uname -a
Linux [redacted] 2.6.31.6-145.fc12.i686 #1 SMP Sat Nov 21 16:28:23 EST 2009 i686 i686 i386 GNU/Linux
$ sudo yum clean all
Loaded plugins: dellsysidplugin2, fastestmirror, presto, refresh-packagekit
Cleaning up Everything
Cleaning up list of fastest mirrors
$ sudo yum --enablerepo=updates-testing list selinux-policy{,-targeted}
Loaded plugins: dellsysidplugin2, fastestmirror, presto, refresh-packagekit
Loading mirror speeds from cached hostfile
 * fedora: mirror.steadfast.net
 * rpmfusion-free: rpmfusion.famillecollet.com
 * rpmfusion-free-updates: rpmfusion.famillecollet.com
 * rpmfusion-nonfree: rpmfusion.famillecollet.com
 * rpmfusion-nonfree-updates: rpmfusion.famillecollet.com
 * updates: mirror.steadfast.net
 * updates-testing: mirrordenver.fdcservers.net
Installed Packages
selinux-policy.noarch             3.6.32-52.fc12    @updates-testing
selinux-policy-targeted.noarch    3.6.32-52.fc12    @updates-testing

Help?
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Tony, I would find a different mirror
(In reply to comment #15)
> Tony, I would find a different mirror

Daniel -- It worked once it got into stable. I'll look at fixing my mirrors the next time I need something out of updates-testing. (I'm currently using "yum-fastestmirror", but I'm also behind an HTTP proxy, so who knows what went wrong.)

Thanks for fixing it, regardless -- nice to not see the scary yellow star in my top bar. :)

Take care, and have a good holiday season!
Watch out for the scarier red star. :^)
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.